Re: OpenID. The future of authentication on the web?

[Abe Getchell <me () abegetchell com>]

Wanted the below to go to the list.

-  
Abe Getchell
me () abegetchell com
http://abegetchell.com/

-------- Forwarded Message --------
> From: Abe Getchell <me () abegetchell com>
> Reply-To: me () abegetchell com
> To: Paul Schmehl <pauls () utdallas edu>
> Subject: Re: [Full-disclosure] OpenID. The future of authentication on
> the web?
> Date: Mon, 24 Mar 2008 10:27:48 -0400
>
> On Sun, 2008-03-23 at 17:37 -0500, Paul Schmehl wrote:
> > Yes, and convenience is often the enemy of security.
>
> Convenience is not necessarily the enemy of security, rather a fine line
> exists between usability (of which convenience is a component) and
> security. What is considered an acceptable risk when balancing the two
> is a personal view point or company policy.
>
> > However, with OpenID, all I have to do is figure out how to capture your 
> > credentials (which does not require that I compromise OpenID), and I can 
> > own everything that you own.  At least with the disparate systems we have 
> > now you only get those things where I've been foolish enough to use the 
> > same credentials.  Even then you have to figure out what those systems 
> > are.  With OpenID I simply try every site that uses OpenID, trivial to do 
> > programmatically.
>
> Let's compare OpenID and your home security. The OpenID technology is
> much like the key/lock combination on the external door(s) of your home.
> You have one key (username/password) that allows only you access to your
> entire home and all of the belongings inside (personal information).
> Having separate lockable doors which require a different key between
> each room in your home is comparable to having a separate
> username/password for every website to which you have access. The
> differences in usability and security, in both cases, are obvious. You
> trust the security of your belongings and family to the single key/lock
> combination on the front of your home, why wouldn't you trust the
> security of your personal information online to a comparable system? A
> credit report is much easier to clean up than the blood of a family
> member. Extreme and gruesome, yes, but there's truth in that statement.
>
> > The problem is, I have to trust the OpenID provide to both secure his/her 
> > systems and hire trustworthy help.  I have to do the same locally, but I 
> > have a great deal more control and ability to monitor.
>
> When was the last time you had a copy of your key made at the local
> hardware store? How do you know they are not making an extra copy? Did
> they do a background check on the individual who is making the copy?
> What about the previous owners or renters of your home? Did the person
> who owned or rented the home previously return or destroy the keys? Did
> they make any copies and give them to anyone else? Did the person that
> made those copies make any extras? You have less control than you think.
>
> I understand your concerns in concept and appreciate the paranoia. It's
> what makes good security people good security people. When it comes down
> to it, though, you have to take on a certain amount of risk to make a
> system usable and available by end-users. I really hope that the
> industry starts to center their discussions about this technology around
> mitigating these risks rather than simply stating that the idea is a bad
> one.
>
> -  
> Abe Getchell
> me () abegetchell com
> http://abegetchell.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/